From: CERT Advisory <cert-advisory@cert.org> To: cert-advisory@cert.org Subject: CERT Summary CS-2001-03 Date: Tue, 28 Aug 2001 11:10:38 -0400 (EDT) -----BEGIN PGP SIGNED MESSAGE----- CERT Summary CS-2001-03 August 28, 2001 Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from: CERT Summaries http://www.cert.org/summaries/ ______________________________________________________________________ Recent Activity Since the last regularly scheduled CERT summary, issued in May 2001 (CS-2001-02), we have seen several self-propagating worms, as well as active exploitation of vulnerabilities in Solaris in.lpd, BSD telnet daemon and Microsoft IIS by intruders. In addition, we have seen an increase in intruder activity directed at home users. For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change. CERT/CC Current Activity http://www.cert.org/current/current_activity.html 1. "Code Red" / "Code Red II" worms On June 19, 2001, the CERT/CC published CERT Advisory CA-2001-13, describing a vulnerability in Indexing Services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. This vulnerability allows a remote intruder to run arbitrary code on the victim machine. On July 19, 2001, the CERT/CC began receiving a large number of reports of a worm commonly referred to as "Code Red". The widespread, automated attack and propagation characteristics of this worm, and its variants, have caused bandwidth denial-of-service conditions in isolated portions of the Internet, particularly near groups of compromised hosts. Since that time, we have received reports of variants, as well as reports of another worm with similiar characteristics (Code Red II). These worms have affected at least 300,000 hosts. The CERT/CC highly encourages administrators of IIS servers to review the following documents and take appropriate action. CERT Advisory CA-2001-13: Buffer Overflow In IIS Indexing Service DLL http://www.cert.org/advisories/CA-2001-13.html CERT Advisory CA-2001-19: "Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL http://www.cert.org/advisories/CA-2001-19.html CERT Advisory CA-2001-23: Continuing Threat of the "Code Red" Worm http://www.cert.org/advisories/CA-2001-23html CERT Incident Note IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL http://www.cert.org/incident_notes/IN-2001-08.html CERT Incident Note IN-2001-09: "Code Red II:" Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL http://www.cert.org/incident_notes/IN-2001-09.html 2. "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled Along with the large number of "Code Red" and "Code Red II" reports indicating that systems are compromised, the CERT/CC has received a smaller yet still significant number of reports where Windows NT 4.0 IIS 4.0 systems have been adversely affected by the high volume of "Code Red" scanning activity. A recently discovered vulnerability can cause an IIS 4.0 server (patched against "Code Red" according to Microsoft Security Bulletin MS01-033) with URL redirection enabled to crash when scanned by the "Code Red" worm. CERT Incident Note IN-2001-10: "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled http://www.cert.org/incident_notes/IN-2001-10.html 3. W32/Sircam Malicious Code "W32/Sircam" is malicious code that spreads through email and potentially through unprotected Windows network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information. Detailed information about W32/Sircam can be found in CERT Advisory CA-2001-22. Users are strongly encouraged to visit their anti-virus vendor's website for information on how to properly remove W32/Sircam from an infected computer. CERT Advisory CA-2001-22: W32/Sircam Malicious Code http://www.cert.org/advisories/CA-2001-22.html 4. Buffer Overflow in telnetd The telnetd program is a server for the Telnet remote virtual terminal protocol. There is a remotely exploitable buffer overflow in Telnet daemons derived from BSD source code. This vulnerability can crash the server or be leveraged to gain root access. CERT Advisory CA-2001-21: Buffer Overflow in telnetd http://www.cert.org/advisories/CA-2001-21.html 5. Buffer Overflow in Sun Solaris in.lpd Print Daemon A buffer overflow exists in the Solaris BSD-style line printer daemon, in.lpd, that may allow a remote intruder to execute arbitrary code with the privileges of the running daemon. CERT Advisory CA-2001-15: Buffer Overflow in Sun Solaris in.lpd Print Daemon http://www.cert.org/advisories/CA-2001-15.html 6. Continuing Threats to Home Users The CERT/CC has observed a significant increase in activity resulting in compromises of home user machines. Many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Intruders know this, and we have seen a marked increase in intruders specifically targeting home users who have cable modem and DSL connections. The CERT/CC strongly encourages home users to review the below referenced documents. These documents illustrate the threats to home users, and outline countermeasures that can be used to mitigate aganist them. CERT Advisory CA-2001-20: Continuing Threats to Home Users http://www.cert.org/advisories/CA-2001-20.html CERT Tech Tip: Home Network Security http://www.cert.org/tech_tips/home_networks.html 7. W32/Leaves The CERT/CC has received a number of reports regarding the compromise of home user machines running Microsoft Windows. Most of these reports surround the intruder tool SubSeven. SubSeven is often used as a Trojan horse, which allows an intruder to deliver and execute any custom payload and run arbitrary commands on the affected machine. CERT Incident Note IN-2001-07: W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses http://www.cert.org/incident_notes/IN-2001-07.html _________________________________________________________________ What's New and Updated Since the last CERT Summary, we have published new and updated * Advisories http://www.cert.org/advisories/ * Congressional Testimony http://www.cert.org/congressional_testimony/ * Incident Notes http://www.cert.org/incident_notes/ * CERT/CC Statistics http://www.cert.org/stats/cert_stats.html * Tech Tips http://www.cert.org/tech_tips/ * Training Schedule http:/www.cert.org/training/ ______________________________________________________________________ This document is available from: http://www.cert.org/summaries/CS-2001-03.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2001 Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBO4uyaQYcfu8gsZJZAQFJEgP6A0+vfi/vkpl5YeneQPhyfllaFEtKwQSD xuGWHF6YUQGEHiQZYnwAFV2gWEkY5OGLWGBSsRESr3kHSpcMPfsOkGvty+lyi5aM kfRaZkkdlZdNmMYlxwQxq9IrEaWX4rJzrzcdfq9U3TTB4oBJnP4dDRyUIdW3Oe3E R8vDJQar7EM= =DR64 -----END PGP SIGNATURE-----